Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH than the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbin made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

Comments

  1. Possible contravention of the purpose limitation principle, depending on (as you say) what notice they gave on the train. WP29 guidance gives an example of an employer who has set up cctv for purpose of security. They then use the cctv to prove that a worker is slacking on the job. This would be a breach of the purpose limitation principle, unless there is an appropriate exemption (unlikely).

  2. You don’t get to publish CCTV just because someone was being an ass, because that’s against the law. (And I like Corbyn but really don’t get why he thought that was acceptable.) https://www.gov.uk/data-protection-your-business/using-cctv

    • I’m not certain that this is the least well-informed comment that I have ever had on my blog, but I think it deserves a special mention. Thanks very much for either not reading or not understanding the blog that you’re commenting on.

%d bloggers like this: